CVE-2016-1674

Universal XSS via the interception of |Binding| with Object.prototype.create

Reported by marius.mlynski@gmail.com, Mar 26 2016

VULNERABILITY DETAILS

The fix for issue 590118 is insufficient to protect against bindings interception. While they can't be accessed by triggering accessors on the |modules| object anymore, it's still possible to trap the set operation for |Binding.create| using Object.prototype.create. The obtained constructor can then be used to take over the built-in extensions system and gain access to native functions.

VERSION

Chrome 49.0.2623.108 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2692.0 + Pepper Flash (Release build compiled today)

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=598165
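
The set-operation trap described under VULNERABILITY DETAILS, reduced to a constructed stand-in that contrasts plain assignment with an own-property definition. This is an added example, not Chromium's bindings code or the reporter's proof of concept; `defineByAssignment`, `defineByDefineProperty` and `runWithTrap` are hypothetical names, and the local `Binding` is a stand-in function.

```javascript
// Constructed stand-in for a privileged module that shares a realm with
// untrusted script. Not Chromium's code; all names here are hypothetical.

// Weak pattern: `Binding.create = ...` performs an ordinary [[Set]], which
// walks Binding -> Function.prototype -> Object.prototype. An accessor named
// 'create' found anywhere on that chain runs instead of an own property
// being created, and it receives Binding as `this`.
function defineByAssignment() {
  function Binding() {}
  Binding.create = function () { return new Binding(); };
  return Binding;
}

// Hardened pattern: defining an own property never consults inherited
// setters. The descriptor has a null prototype because descriptor fields
// (value, get, set, ...) are themselves read through the prototype chain.
function defineByDefineProperty() {
  function Binding() {}
  Object.defineProperty(Binding, 'create', {
    __proto__: null,
    value: function () { return new Binding(); },
    writable: false, enumerable: false, configurable: false,
  });
  return Binding;
}

// Test harness: simulates script that ran earlier in the same realm and left
// an accessor on Object.prototype, then reports whether the module's
// constructor reached that accessor.
function runWithTrap(moduleInit) {
  const trapped = [];
  Object.defineProperty(Object.prototype, 'create', {
    configurable: true,
    get() { return undefined; },
    set(_value) { trapped.push(this); },
  });
  try {
    const Binding = moduleInit();
    return {
      leaked: trapped.includes(Binding),
      hasOwnCreate: Object.prototype.hasOwnProperty.call(Binding, 'create'),
    };
  } finally {
    delete Object.prototype.create; // restore the realm for later code
  }
}
```

`runWithTrap(defineByAssignment)` reports the constructor as leaked with no own `create`, while `runWithTrap(defineByDefineProperty)` reports the opposite. Privileged code in a shared realm also has to hold its own reference to `Object.defineProperty`, captured before untrusted script runs, since the global one can be replaced.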